Bruce Schneier: IoT + DMCA = More Monopolies, Limits On Consumer Choice (theatlantic.com)
New submitter OldMan17 writes: On Dec 24, while many of us were busy in a frenzy of commercial excess and socially-conditioned good cheer, The Atlantic published an article by Bruce Schneier predicting that the IoT will be abused in conjunction with DMCA to make our lives worse instead of better. Some of the precedents he cites are old news, but I expect we will have a lively debate in the comments as to whether the over-arching conclusion is justified by his arguments. When everything is online, laws made for "the internet" suddenly apply to everything.
Which places even more limits on Consumer Choice.
https://wikileaks.org/tpp-ip3/
web site take-downs without court orders?
Illegal to modify devices you own?
etc.
The Internet of Things (IOT) is being driven by commercial interests that are more interested in spying (known in commercial circles as marketing) and in control. Benefits will accrue, but they will not accrue to the people paying for the gear, which makes the IOT value subtracting for the average citizen.
Internet of Things devices could watch me while I sleep.
So does Santa Claus... So be good, for goodness sake!
“He’s not deformed, he’s just drunk!”
His example of the Hue dustup was a poor, poor choice as example there.
1) Hue bulbs use ZigBee Light-Link Profile.
2) The bulbs (all of them...ALL OF THEM in the IoT space right now) cannot be re-flashed.
3) In order to get a permanent private key for each SKU shipped using ZigBee LL Profile, the devices must conform to the spec and properly interoperate. So, they can't dink with the bulbs, period.
4) The only place you can even possibly DO what Phillips attempted to do would be to dink with the final phases of the LL handshake, wherein the coordinator (the gateway puck) would allow federation with the mesh or not at the last part of the process, based on manufacturer and manufacturer ID, and just drop the federation request on the floor if it didn't match the list.
5) It's not DRM, per se. Worse, it's NOT compliant with the ZigBee spec. Not sure how the Consortium would handle a revocation of things like that, but the Coordinator in that configuration no longer complied with the spec (which is to allow Home Automation and Light-Link protocol devices ONTO that mesh and be able to control them, period).
6) Better yet, there were competing products (Iris, Wink, etc.) that could work with Phillips' crap because of the ZigBee spec. While some of them don't have an "API" to drive it via PC, some do- and moreover, some of them let you have ZB and Z-Wave light controls signal lights on and off or to federate clusters of bulbs with a control panel that acts like a Light Switch. Phillips just simply cut their own throats by trying this. People can go buy up their RGB bulbs or Osram's...and get the same basic functionality as Hue provided...for less money in most cases.
General purpose computers are on their way out. One decade or less and you won't be able to buy one. With no spare parts, those still existing will stop working very soon. But way before that happens you won't be able to connect to the internet without a "certified" device. This will happen. There is no way to stop it.
Most people don't want nuance on the extent they own the goods they buy. This horse shit about you owning the physical properties, but licensing the software that is essential to its function is going to drive a deeper wedge between the public and IP than the corporate sector realizes. When your property rights become antithetical to mine, guess whose rights I'm going to choose...
Internet of Things devices could watch me while I listen to the Backstreet Boys.
You sick bastard, the Backstreet Boys? Really?
Off with your head.
Just cruising through this digital world at 33 1/3 rpm...
You definitely don't need a frigging Internet connected LIGHTBULB.
I have a few frigging Internet connected lightbulbs, and while they are not "needed", they are certainly convenient. The bulb on my porch is controlled by an IoT motion detector, which also triggers an IoT camera, and sends an alert to my cellphone. The bulb in my kitchen is integrated with both a motion detector, and my Amazon Echo, so I can control it with voice. I save electricity, have better physical security, and I no longer have to get up on cold winter nights because my wife hears a noise. If the motion detector hasn't triggered, then I ain't gettin' up.
White People Problems
Regardless of whether you're a white, black, brown, or pink-and-purple-polkadot, Mister Anonymous Coward, you are a racist and therefore part of the problems here in the United States just because you put things in those terms. I'm dead serious. The Human Race in general needs to get over this sort of shit, and if you're black? You need to stop perpetuating your own racial stereotypes, and you need to stop your own anti-white racism, because all you're accomplishing is perpetuating the vicious cycle of racism all around; knock that shit off.
ALL lives matter, not just Black lives, and anyone who doesn't agree with me can GO FUCK THEMSELVES.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
Here is where things get nefarious. IoT are like social networks. In the past, you could just tell people where to stick it when they talked about their livejournal, MySpace, or Orkut stuff. However, if one doesn't have a LinkedIn account, FB account, and a Twitter account, you will be turned down for jobs.
I know this firsthand. Had a job interviewer tell me that I was too old for IT work and show me the door because he wanted to read/follow my Twitter account, and I told him that I didn't have one.
IoT has the potential for being just like that. For example, the Bluetooth deadbolt. It might be that apartment managers and other landlords install IoT security devices because it makes their job easier to lock out tenants being evicted, know who is going into a tenant's place, or to let maintenance in on a schedule regardless of whether the tenant wants it or not. Far more flexible for the property owner, and the tenant would have no choice in the matter.
Insurance can also demand IoT devices, say CCTV monitoring and file storage, or IoT deadbolts and other devices so they can be assured that a property is secured when the owners are away. If this isn't done, they won't renew the policy.
Then, there is the phone home aspect. Pull the internet connection on a modern console and it halts. I wouldn't be surprised if a future HDCP spec required all devices to authenticate with a central server for a health check every so often, and required that all TVs and such be always on and in communication. As per the EULA of the TV, video and audio would also be sent back for "IP enforcement purposes". If someone disagrees with that... well, good luck with the no-sue arbitration agreement they agreed to...
Next comes devices. Take the refrigerator for instance. Good luck trying to find a completely mechanical one with a thermostat and compressor that runs for decades. Most have various computer controls. It wouldn't be surprising if IoT functionality became important, and no network connection meant the device does not function, especially if the fridge maker starts demanding license keys to activate the ice maker, crisper section, and such.
The key is to not just avoid buying IoT shit, but make it -damn well known- that you will never buy that because you don't want another route an intruder can trespass into your home. Because IoT security is so weak, and there is zero incentive for companies to actually do something about it, it needs to die on the vine.
The trouble with ZigBee is that "ZigBee compliant" doesn't mean different devices will actually work together. Z-Wave, a more restrictive and more proprietary system, actually works better. And that illustrates what's wrong with Schneier's reasoning: forcing platforms and protocols to be open does not necessarily make life easier for consumers, because something being proprietary can result in better user experiences, as the owner of that technology has a stronger financial interest in policing it. Apple devices are another example of this. Many technologies that we now think of as "open" started off as proprietary.
Nevertheless, I think the DMCA is overreach and unnecessary: there shouldn't be legal penalties for reverse engineering or making compatible implementations. On the other hand, we should also not mandate open protocols and not scream bloody murder every time someone comes up with a proprietary system or puts up barriers to interoperability.
As for home automation, there is no "monopoly" and no sign of one: there are a dozen different standards, some open, some mildly proprietary, and some completely proprietary, plus hundreds of vendors. Let the market decide which model works best. I don't think it will be full ZigBee, because that "standard" is a mess.
Then in exchange for "convenience" (although your setup sounds ridiculous) you give away your rights.
What "rights" have I given away?
Frank Herbert wrote a series of novels and short stories about a future in which the Government had become efficient, and because of that, sorely oppressive. In order to restore basic freedoms, a Ministry of Sabotage was instituted, whose job it was to throw wrenches into Government projects, especially ones that intruded into the basic freedoms of the populace.
Edward Snowden comes to mind...
Don't take life too seriously; it isn't permanent.
...but that would require you to have some balls.
He does, but they're connected to the Internet.
It must have been something you assimilated. . . .
Tl;dr: https://xkcd.com/605/
Actually you misunderstand. Let me provide you with a point. As the demand for internet connected cars increases, you assume it will continue to increase. This is a logical fallacy. Imagine that the rate has increased 1% per year for the last 20 years and is now at 70%. Over 30 years you would expect the trend to continue to 100%. But why stop then? After 40 years you would have 110% demand, which is impossible.
There will be internet-less cars forever. They may decrease in prevalence, but they will remain. If 5% of the population wants an internet-free vehicle and 70% of vehicles are internet powered, that 5% demand has no effect on the market. But as soon as 96% is reached that leaves 4% of cars internet-free, while 5% of consumers want them. This will cause a price spike in internet-free cars and car manufacturers will increase production to reach equilibrium with demand.
I think the SDOs (ISO, ANSI, IEEE, etc) made a fundamental mistake when they decided to accept patented technologies as part of formal (de jure) standards.
If I were King, the FRAND license cost for any patent that appears in a de jure standard would be $0. If the patent-holder won't give up the rights, then the technology should not appear in a standard. Now that clearly would restrict what can be standardized, but that's a tradeoff that both society and patent holders should accept.
(And technology R&D funded by governments should be royalty/license free. DoD certainly used to do that, and look at the advantages -commercial companies- have gotten from the fact that the basic Internet protocols are royalty free/not patented.)
It wouldn't be worth the time, since I found a far better place to be at anyway, job-wise.
As for FB/whatever, I decided to make an account, and keep them around. I now use Twitter for announcing GitHub releases I make. That way, the account is of actual use.
As for IoT, whining about it is not going to do much. However, there are a few ways to actually make IoT truly secure... not secure as in the sense of "locking it down" secure... but secure as in resisting unauthorized intrusions, modifications, deletions... the classic sense.
Three ways to make it work:
1: Get some people who know what they are doing, such as Bruce. Make a UL type independent organization whose job it is to check security of products in both white-box testing and black-box testing. Security such as resisting attacks via the network, ease of resetting the device should the owner lose the password, how firmware updates are handled [1], how the device reacts to intrusion attempts, internal security like chrooting, signed executables, SELinux, ASLR, and other methods. Make the independent organization's approval a must for the device to be sold. Of course, this invites regulatory capture, and genuine security can easily be perverted into "keeping the user out" security... but anything in IoT is better than nothing.
2: Move to a different topology for IoT devices than having the devices connecting directly to the Internet via a 3G/4G connection or using a Wi-Fi access point. Instead, the devices should communicate on the LAN basis to a hardened appliance... and that appliance does the sending and receiving for the devices. This way, the "smart toaster" communicating to the hub via Bluetooth will be extremely difficult to hack because it sends the user's toaster preferences up through the BT hub, which then relays it through the Internet. Going with a hub/spoke, with redundant hubs possible, would significantly decrease the attack surface of IoT devices.
3: Use the principle of least privilege. If an Internet connection isn't needed (say for a device to work as a remote), use Bluetooth. If the device has to have an Internet connection for updates, have documentation that describes the sites it connects to [2], and what ports that it should be allowed. Anything else should be blocked. The device should even enforce this in its OS firewall (netfilter for Linux, for example) to protect against unauthorized processes trying to get out. If "smart" functionality isn't needed, don't bother with it.
Take the "smart" refrigerator. If appliance companies wanted to make something expensive, why not a fridge with two cooling mechanisms... the standard compressor that plugs into the wall, and an absorption mechanism which can be powered by electricity, natural gas, or propane. This way, if there is a power blackout, the fridge still retains cooling capacity, and with a thermoelectric generator (think a Peltier running in reverse), would have enough power to keep the core circuit board running. I'm sure there would be more demand for a fridge that keeps the food cold if power goes out, than a fridge which can display ads 24/7 on the screen.
[1]: I believe in the old school idea of a physical button or switch that is used before flashing firmware... but this isn't something that can be done if the device is not physically accessible, so maybe a fallback would be some other mechanism. That way if the RSA key is compromised, the vendor can use a different, but still secure, way to get the updates to devices.
[2]: Ideally, it should just fetch a signed manifest via SSL, and go from there. If the embedded OS is Linux, it could even use an existing package manager like Yum or apt so that wheel doesn't have to be reinvented.
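Point 3 and footnote [2] in the comment above describe a device that may only reach its documented update endpoints and that trusts nothing but a signed manifest. The following is an added example, not code from the commenter or from any vendor, of what that update client's policy core looks like: a default-deny egress allowlist, signature verification of the manifest, a monotonic version check so a validly signed old manifest cannot be replayed to roll the device back, an endpoint check on the download URL, and a hash check on the fetched image. The endpoint name, manifest layout, and the in-block toy RSA key pair (generated deterministically so the example runs offline) are assumptions; a real device ships a fixed vendor public key and uses a vetted library (Ed25519 or RSA-PSS), never a key generated on the device.

```python
"""Least-privilege update client: default-deny egress to a documented endpoint
list plus a signed, version-monotonic update manifest.

Added example, not code from the original thread. Endpoint list, manifest
layout and the toy RSA stand-in for the vendor signing key are assumptions.
"""
import hashlib
import json
import math
import random
from urllib.parse import urlparse

# Assumption: the (host, port) pairs the device manual documents. Anything
# else is denied; the OS firewall (netfilter) would mirror this as the only
# OUTPUT ACCEPT rules under a default DROP policy.
ALLOWED_ENDPOINTS = {("updates.example-vendor.invalid", 443)}


def egress_allowed(host, port):
    """Default deny: only documented (host, port) pairs may be contacted."""
    return (host.lower(), port) in ALLOWED_ENDPOINTS


# --- toy RSA stand-in for the vendor signing key (illustration only) -------
def _is_probable_prime(n, rounds=16):
    """Miller-Rabin with a small-prime pre-filter."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_signing_key(bits=512, seed=1234):
    """Deterministic toy RSA key pair: returns (pub=(e, n), priv=(d, n))."""
    random.seed(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    return (e, n), (pow(e, -1, phi), n)


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign_manifest(body, priv):
    d, n = priv
    return pow(_digest_int(body), d, n)


def verify_signature(body, sig, pub):
    e, n = pub
    return pow(sig, e, n) == _digest_int(body)


# --- the policy the device enforces before touching the network -------------
def evaluate_manifest(manifest, pub, installed_version, fetch):
    """Return (ok, reason). fetch(url) -> bytes is called only after every
    policy check on the manifest itself has passed."""
    body = manifest["body"].encode()
    if not verify_signature(body, manifest["sig"], pub):
        return False, "bad signature"
    info = json.loads(body)
    if info["version"] <= installed_version:          # anti-rollback / replay
        return False, "rollback or replay"
    u = urlparse(info["url"])
    port = u.port or (443 if u.scheme == "https" else 80)
    if u.scheme != "https" or not egress_allowed(u.hostname, port):
        return False, "undocumented endpoint"
    fw = fetch(info["url"])
    if hashlib.sha256(fw).hexdigest() != info["sha256"]:
        return False, "firmware hash mismatch"
    return True, "ok"


def run_demo():
    """Constructed sample manifests exercising each check; returns a dict."""
    pub, priv = generate_signing_key()
    firmware = b"constructed firmware image v12"      # constructed sample
    good = {"version": 12,
            "url": "https://updates.example-vendor.invalid/fw-12.bin",
            "sha256": hashlib.sha256(firmware).hexdigest()}

    def make(info):
        body = json.dumps(info, sort_keys=True, separators=(",", ":"))
        return {"body": body, "sig": sign_manifest(body.encode(), priv)}

    fetch = lambda url: firmware
    results = {"valid": evaluate_manifest(make(good), pub, 11, fetch),
               "rollback": evaluate_manifest(make(good), pub, 12, fetch)}
    elsewhere = dict(good, url="https://mirror.attacker.invalid/fw-12.bin")
    results["off_list"] = evaluate_manifest(make(elsewhere), pub, 11, fetch)
    tampered = make(good)                              # edit body, keep old sig
    tampered["body"] = tampered["body"].replace('"version":12', '"version":13')
    results["tampered"] = evaluate_manifest(tampered, pub, 11, fetch)
    results["bad_image"] = evaluate_manifest(make(good), pub, 11,
                                             lambda url: b"substituted image")
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:10s} -> {outcome}")
```

The order of the checks is the point: the signature is verified before any field of the manifest is trusted, the version is compared before any URL is parsed, and the URL is matched against the documented allowlist before a single packet leaves the device, so an attacker who can only redirect DNS or replay old traffic never gets the device to talk to a host it was not documented to talk to.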
That brings new meaning to "hacking 127.0.0.1" now doesn't it?
"So long and thanks for all the fish."
Did you fail to read in the GP post that the interviewer told him that he was too old? "Too old" is one of those "few other specific criteria".
The real "Libtards" are the Libertarians!